Phishfarm: a Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists

Total Page:16

File Type:pdf, Size:1020Kb

Phishfarm: a Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists Adam Oest˚, Yeganeh Safaei˚, Adam Doupe´˚, Gail-Joon Ahn˚x, Brad Wardman:, Kevin Tyers: ˚Arizona State University, x Samsung Research, :PayPal, Inc. faoest, ysafaeis, doupe, [email protected], fbwardman, [email protected] Abstract—Phishing attacks have reached record volumes in lucrative data, phishers are engaged in a tireless cat-and- recent years. Simultaneously, modern phishing websites are grow- mouse game with the ecosystem and seek to stay a step ahead ing in sophistication by employing diverse cloaking techniques of mitigation efforts to maximize the effectiveness of their to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing attacks. Although new phishing attack vectors are emerging the resilience of anti-phishing entities and browser blacklists to (e.g. via social media as a distribution channel [5]), malicious attackers’ evasion efforts. We use PhishFarm to deploy 2,380 actors still primarily deploy “classic” phishing websites [2]. live phishing sites (on new, unique, and previously-unseen .com These malicious sites are ultimately accessed by victim users domains) each using one of six different HTTP request filters who are tricked into revealing sensitive information. based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the Today’s major web browsers, both on desktop and mobile occurrence and timeliness of native blacklisting in major web platforms, natively incorporate anti-phishing blacklists and browsers to gauge the effectiveness of protection ultimately display prominent warnings when a user attempts to visit a extended to victim users and organizations. Our experiments known malicious site. Due to their ubiquity, blacklists are revealed shortcomings in current infrastructure, which allows a user’s main and at times only technical line of defense some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple against phishing. Unfortunately, blacklists suffer from a key cloaking techniques representative of real-world attacks— in- weakness: they are inherently reactive [6]. Thus, a mali- cluding those based on geolocation, device type, or JavaScript— cious website will generally not be blocked until its nature were effective in reducing the likelihood of blacklisting by over is verified by the blacklist operator. Phishing sites actively 55% on average. We also discovered that blacklisting did not exploit this weakness by leveraging cloaking techniques [7] to function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly avoid or delay detection by blacklist crawlers. Cloaking has vulnerable to phishing attacks. Following disclosure of our only recently been scrutinized in the context of phishing [8]; findings, anti-phishing entities are now better able to detect and to date, there have been no formal studies of the impact mitigate several cloaking techniques (including those that target of cloaking on blacklisting effectiveness (despite numerous mobile users), and blacklisting has also become more consistent empirical analyses of blacklists in general). This shortcoming between desktop and mobile platforms— but work remains to be done by anti-phishing entities to ensure users are adequately is important to address, as cybercriminals could potentially be protected. Our PhishFarm framework is designed for continuous causing ongoing damage without the ecosystem’s knowledge. monitoring of the ecosystem and can be extended to test future In this paper, we carry out a carefully-controlled experiment state-of-the-art evasion techniques used by malicious websites. to evaluate how 10 different anti-phishing entities respond to reports of phishing sites that employ cloaking techniques I. INTRODUCTION representative of real-world attacks. We measure how this cloaking impacts the effectiveness (i.e. site coverage and Phishing has maintained record-shattering levels of volume timeliness) of native blacklisting across major desktop and in recent years [1] and continues to be a major threat to today’s mobile browsers. We performed preliminary tests in mid-2017, Internet users. In 2018, as many as 113,000 unique monthly disclosed our findings to key entities (including Google Safe phishing attacks were reported to the APWG [2]. Beyond dam- Browsing, Microsoft, browser vendors, and the APWG), and aging well-known brands and compromising victims’ identi- conducted a full-scale retest in mid-2018. Uniquely and unlike ties, financials, and accounts, cybercriminals annually inflict prior work, we created our own (innocuous) PayPal-branded millions of dollars of indirect damage due to the necessity phishing websites (with permission) to minimize confounding of an expansive anti-abuse ecosystem which serves to protect effects and allow for an unprecedented degree of control. the targeted companies and consumers [3]. With an ever- Our work reveals several shortcomings within the anti- increasing number of Internet users and services— in particu- phishing ecosystem and underscores the importance of robust, lar on mobile devices [4]— the feasibility of social engineering ever-evolving anti-phishing defenses with good data sharing. on a large scale is also increasing. Given the potential for Through our experiments, we found that cloaking can prevent browser blacklists from adequately protecting users by signif- icantly decreasing the likelihood that a phishing site will be phisher, who will attempt to fraudulently use it for monetary blacklisted, or substantially delaying blacklisting, in particular gain either directly or indirectly [14]. when geolocation- or device-based request filtering techniques Phishing attacks are ever-evolving in response to ecosystem are applied. Moreover, we identified a gaping hole in the standards and may include innovative components that seek protection of top mobile web browsers: shockingly, mobile to circumvent existing mitigations. A current trend (mimick- Chrome, Safari, and Firefox failed to show any blacklist ing the wider web) is the adoption of HTTPS by phishing warnings between mid-2017 and late 2018 despite the presence sites, which helps them avoid negative security indicators in of security settings that implied blacklist protection. As a browsers and may give visitors a false sense of security [15], result of our disclosures, users of the aforementioned mobile [16]. At the end of 2017, over 31% of all phishing sites browsers now receive comparable protection to desktop users, reported to the APWG used HTTPS, up from less than 5% and anti-phishing entities now better protect against some of a year prior [2]. Another recent trend is the adoption of the cloaking techniques we tested. We propose a number of redirection links, which allows attackers to distribute a link additional improvements which could further strengthen the that differs from the actual phishing landing page. Redirection ecosystem, and we will freely release the PhishFarm frame- chains commonly consist of multiple hops [17], [18], each work1 to interested researchers and security organizations potentially leveraging a different URL shortening service or for continued testing of anti-phishing systems and potential open redirection vulnerability [19]. Notably, redirection allows adaptation for measuring variables beyond just cloaking. Thus, the number of unique phishing links being distributed to grow the contributions of this work are as follows: well beyond the number of unique phishing sites, and such ‚ A controlled empirical study of the effects of server-side links might thus better slip past spam filters or volume-based request filtering on blacklisting coverage and timeliness phishing detection [20]. Furthermore, redirection through well- in modern desktop and mobile browsers. known services such as bit.ly may better fool victims [5], ‚ A reusable, automated, scalable, and extensible frame- though it also allows the intermediaries to enact mitigations. work for carrying out our experimental design. Ultimately, phishers cleverly attempt to circumvent existing ‚ Identification of actionable real-world limitations in the controls in an effort to maximize the effectiveness of their current anti-phishing ecosystem. attacks. The anti-phishing community should seek to predict ‚ Enhancements to blacklisting infrastructure after disclo- such actions and develop new defenses while ensuring that sure to anti-phishing entities, including phishing protec- existing controls remain resilient. tion in mobile versions of Chrome, Safari, and Firefox. II. BACKGROUND B. Phishing Kits Phishing is a type of social engineering attack that seeks A phishing kit is a unified collection of tools used to to trick victims into disclosing sensitive information, often via deploy a phishing site on a web server [21]. Kits are generally a fraudulent website which impersonates a real organization. designed to be easy to deploy and configure; when combined Attackers (phishers) then use the stolen data for their own with mass-distribution tools [9], they greatly lower the barrier monetary gain [9], [10], [11]. Cybercriminals are vehement to entry and enable phishing on a large scale [22]. They are in their attacks and the scale of credential theft cannot be part of the cybercrime-as-a-service
Recommended publications
  • Adsense-Blackhat-Edition.Pdf
    AdSense.BlackHatEditionV.coinmc e Tan Vince Tan AdSense.BlackHatEdition.com i Copyright Notice All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical. Any unauthorized duplication, reproduction, or distribution is strictly prohibited and prosecutable by the full-extent of the law. Legal Notice While attempts have been made to verify the information contained within this publication, the author, publisher, and anyone associated with its creation, hereby assume absolutely no responsibility as it pertains to its contents and subject matter; nor with regards to it’s usage by the public or in any matters concerning potentially erroneous and/or contradictory information put forth by it. Furthermore, the reader agrees to assume all accountability for the usage of any information obtained from it; and heretofore, completely absolves Vince Tan, the publishers and any associates involved, of any liability for it whatsoever. Additional Notice: This book was obtained at http://AdSense.BlackHatEdition.com . For a limited time, when you register for free, you will be able to earn your way to get the latest updates of this ebook, placement on an invitation-only list to participate in exclusive pre-sales, web seminars, bonuses & giveaways, and be awarded a “special backdoor discount” that you will never find anywhere else! So if you haven’t yet, make sure to visit http://AdSense.BlackHatEdition.com and register now, before it’s too late! i Table of Contents Introduction
    [Show full text]
  • Android Euskaraz Windows Euskaraz Android Erderaz Windows Erderaz GNU/LINUX Sistema Eragilea Euskeraz Ubuntu Euskaraz We
    Oharra: Android euskaraz Windows euskaraz Android erderaz Windows erderaz GNU/LINUX Sistema Eragilea euskeraz Ubuntu euskaraz Web euskaraz Ubuntu erderaz Web erderaz GNU/LINUX Sistema Eragilea erderaz APLIKAZIOA Bulegotika Adimen-mapak 1 c maps tools 2 free mind 3 mindmeister free 4 mindomo 5 plan 6 xmind Aurkezpenak 7 google slides 8 pow toon 9 prezi 10 sway Bulegotika-aplikazioak 11 andropen office 12 google docs 13 google drawing 14 google forms 15 google sheets 16 libreoffice 17 lyx 18 office online 19 office 2003 LIP 20 office 2007 LIP 21 office 2010 LIP 22 office 2013 LIP 23 office 2016 LIP 24 officesuite 25 wps office 26 writer plus 1/20 Harrobi Plaza, 4 Bilbo 48003 CAD 27 draftsight 28 librecad 29 qcad 30 sweet home 31 timkercad Datu-baseak 32 appserv 33 dbdesigner 34 emma 35 firebird 36 grubba 37 kexi 38 mysql server 39 mysql workbench 40 postgresql 41 tora Diagramak 42 dia 43 smartdraw Galdetegiak 44 kahoot Maketazioa 45 scribus PDF editoreak 46 master pdf editor 47 pdfedit pdf escape 48 xournal PDF irakurgailuak 49 adobe reader 50 evince 51 foxit reader 52 sumatraPDF 2/20 Harrobi Plaza, 4 Bilbo 48003 Hezkuntza Aditzak lantzeko 53 aditzariketak.wordpress 54 aditz laguntzailea 55 aditzak 56 aditzak.com 57 aditzapp 58 adizkitegia 59 deklinabidea 60 euskaljakintza 61 euskera! 62 hitano 63 ikusi eta ikasi 64 ikusi eta ikasi bi! Apunteak partekatu 65 flashcard machine 66 goconqr 67 quizlet 68 rincon del vago Diktaketak 69 dictation Entziklopediak 70 auñamendi eusko entziklopedia 71 elhuyar zth hiztegi entziklopedikoa 72 harluxet 73 lur entziklopedia tematikoa 74 lur hiztegi entziklopedikoa 75 wikipedia Esamoldeak 76 AEK euskara praktikoa 77 esamoldeapp 78 Ikapp-zaharrak berri Estatistikak 79 pspp 80 r 3/20 Harrobi Plaza, 4 Bilbo 48003 Euskara azterketak 81 ega app 82 egabai 83 euskal jakintza 84 euskara ikasiz 1.
    [Show full text]
  • In-Depth Evaluation of Redirect Tracking and Link Usage
    Proceedings on Privacy Enhancing Technologies ; 2020 (4):394–413 Martin Koop*, Erik Tews, and Stefan Katzenbeisser In-Depth Evaluation of Redirect Tracking and Link Usage Abstract: In today’s web, information gathering on 1 Introduction users’ online behavior takes a major role. Advertisers use different tracking techniques that invade users’ privacy It is common practice to use different tracking tech- by collecting data on their browsing activities and inter- niques on websites. This covers the web advertisement ests. To preventing this threat, various privacy tools are infrastructure like banners, so-called web beacons1 or available that try to block third-party elements. How- social media buttons to gather data on the users’ on- ever, there exist various tracking techniques that are line behavior as well as privacy sensible information not covered by those tools, such as redirect link track- [52, 69, 73]. Among others, those include information on ing. Here, tracking is hidden in ordinary website links the user’s real name, address, gender, shopping-behavior pointing to further content. By clicking those links, or or location [4, 19]. Connecting this data with informa- by automatic URL redirects, the user is being redirected tion gathered from search queries, mobile devices [17] through a chain of potential tracking servers not visible or content published in online social networks [5, 79] al- to the user. In this scenario, the tracker collects valuable lows revealing further privacy sensitive information [62]. data about the content, topic, or user interests of the This includes personal interests, problems or desires of website. Additionally, the tracker sets not only third- users, political or religious views, as well as the finan- party but also first-party tracking cookies which are far cial status.
    [Show full text]
  • Clique-Attacks Detection in Web Search Engine for Spamdexing Using K-Clique Percolation Technique
    International Journal of Machine Learning and Computing, Vol. 2, No. 5, October 2012 Clique-Attacks Detection in Web Search Engine for Spamdexing using K-Clique Percolation Technique S. K. Jayanthi and S. Sasikala, Member, IACSIT Clique cluster groups the set of nodes that are completely Abstract—Search engines make the information retrieval connected to each other. Specifically if connections are added task easier for the users. Highly ranking position in the search between objects in the order of their distance from one engine query results brings great benefits for websites. Some another a cluster if formed when the objects forms a clique. If website owners interpret the link architecture to improve ranks. a web site is considered as a clique, then incoming and To handle the search engine spam problems, especially link farm spam, clique identification in the network structure would outgoing links analysis reveals the cliques existence in web. help a lot. This paper proposes a novel strategy to detect the It means strong interconnection between few websites with spam based on K-Clique Percolation method. Data collected mutual link interchange. It improves all websites rank, which from website and classified with NaiveBayes Classification participates in the clique cluster. In Fig. 2 one particular case algorithm. The suspicious spam sites are analyzed for of link spam, link farm spam is portrayed. That figure points clique-attacks. Observations and findings were given regarding one particular node (website) is pointed by so many nodes the spam. Performance of the system seems to be good in terms of accuracy. (websites), this structure gives higher rank for that website as per the PageRank algorithm.
    [Show full text]
  • Spamming Botnets: Signatures and Characteristics
    Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+,IvanOsipkov+ Microsoft Research, Silicon Valley +Microsoft Corporation {yxie,fangyu,kachan,rina,ghulten,ivano}@microsoft.com ABSTRACT botnet infection and their associated control process [4, 17, 6], little In this paper, we focus on characterizing spamming botnets by effort has been devoted to understanding the aggregate behaviors of leveraging both spam payload and spam server traffic properties. botnets from the perspective of large email servers that are popular Towards this goal, we developed a spam signature generation frame- targets of botnet spam attacks. work called AutoRE to detect botnet-based spam emails and botnet An important goal of this paper is to perform a large scale analy- membership. AutoRE does not require pre-classified training data sis of spamming botnet characteristics and identify trends that can or white lists. Moreover, it outputs high quality regular expression benefit future botnet detection and defense mechanisms. In our signatures that can detect botnet spam with a low false positive rate. analysis, we make use of an email dataset collected from a large Using a three-month sample of emails from Hotmail, AutoRE suc- email service provider, namely, MSN Hotmail. Our study not only cessfully identified 7,721 botnet-based spam campaigns together detects botnet membership across the Internet, but also tracks the with 340,050 unique botnet host IP addresses. sending behavior and the associated email content patterns that are Our in-depth analysis of the identified botnets revealed several directly observable from an email service provider. Information interesting findings regarding the degree of email obfuscation, prop- pertaining to botnet membership can be used to prevent future ne- erties of botnet IP addresses, sending patterns, and their correlation farious activities such as phishing and DDoS attacks.
    [Show full text]
  • Windows 7 Operating Guide
    Welcome to Windows 7 1 1 You told us what you wanted. We listened. This Windows® 7 Product Guide highlights the new and improved features that will help deliver the one thing you said you wanted the most: Your PC, simplified. 3 3 Contents INTRODUCTION TO WINDOWS 7 6 DESIGNING WINDOWS 7 8 Market Trends that Inspired Windows 7 9 WINDOWS 7 EDITIONS 10 Windows 7 Starter 11 Windows 7 Home Basic 11 Windows 7 Home Premium 12 Windows 7 Professional 12 Windows 7 Enterprise / Windows 7 Ultimate 13 Windows Anytime Upgrade 14 Microsoft Desktop Optimization Pack 14 Windows 7 Editions Comparison 15 GETTING STARTED WITH WINDOWS 7 16 Upgrading a PC to Windows 7 16 WHAT’S NEW IN WINDOWS 7 20 Top Features for You 20 Top Features for IT Professionals 22 Application and Device Compatibility 23 WINDOWS 7 FOR YOU 24 WINDOWS 7 FOR YOU: SIMPLIFIES EVERYDAY TASKS 28 Simple to Navigate 28 Easier to Find Things 35 Easy to Browse the Web 38 Easy to Connect PCs and Manage Devices 41 Easy to Communicate and Share 47 WINDOWS 7 FOR YOU: WORKS THE WAY YOU WANT 50 Speed, Reliability, and Responsiveness 50 More Secure 55 Compatible with You 62 Better Troubleshooting and Problem Solving 66 WINDOWS 7 FOR YOU: MAKES NEW THINGS POSSIBLE 70 Media the Way You Want It 70 Work Anywhere 81 New Ways to Engage 84 INTRODUCTION TO WINDOWS 7 6 WINDOWS 7 FOR IT PROFESSIONALS 88 DESIGNING WINDOWS 7 8 WINDOWS 7 FOR IT PROFESSIONALS: Market Trends that Inspired Windows 7 9 MAKE PEOPLE PRODUCTIVE ANYWHERE 92 WINDOWS 7 EDITIONS 10 Remove Barriers to Information 92 Windows 7 Starter 11 Access
    [Show full text]
  • Malware and Social Engineering Attacks
    chapter 2 Malware and Social Engineering Attacks After completing this chapter, you will be able to do the following: ● Describe the differences between a virus and a worm ● List the types of malware that conceals its appearance ● Identify different kinds of malware that is designed for profit ● Describe the types of social engineering psychological attacks ● Explain physical social engineering attacks 41 42 Chapter 2 Malware and Social Engineering Attacks Today’s Attacks and Defenses Successful software companies use a variety of strategies to outsell their competition and gain market share. These strategies may include selling their software at or below a com- petitor’s price, offering better technical support to customers, or providing customized software for clients. And if all else fails, a final strategy can be to buy out the competition through a merger or acquisition. These strategies are also being widely used by attackers who sell their attack software to others. Approximately two out of three malicious Web attacks have been developed using one of three popular attack toolkits. The toolkits are MPack (the most popular attack toolkit, which has almost half of the attacker toolkit mar- ket), NeoSploit, and ZeuS. These toolkits, which are bought and sold online through the underground attacker community, are used to create customized malware that can steal personal information, execute fraudulent financial transactions, and infect computers without the user’s knowledge. The toolkits range in price from only $40 to as much as $8,000. The developers behind these attack toolkits compete fiercely with each other. Some of their tactics include updating the toolkits to keep ahead of the latest security defenses, advertising their attack toolkits as cheaper than the competition, and provid- ing technical support to purchasers.
    [Show full text]
  • Copyrighted Material
    00929ftoc.qxd:00929ftoc 3/13/07 2:02 PM Page ix Contents Acknowledgments vii Introduction xvii Chapter 1: You: Programmer and Search Engine Marketer 1 Who Are You? 2 What Do You Need to Learn? 3 SEO and the Site Architecture 4 SEO Cannot Be an Afterthought 5 Communicating Architectural Decisions 5 Architectural Minutiae Can Make or Break You 5 Preparing Your Playground 6 Installing XAMPP 7 Preparing the Working Folder 8 Preparing the Database 11 Summary 12 Chapter 2: A Primer in Basic SEO 13 Introduction to SEO 13 Link Equity 14 Google PageRank 15 A Word on Usability and Accessibility 16 Search Engine Ranking Factors 17 On-Page Factors 17 Visible On-Page Factors 18 Invisible On-Page Factors 20 Time-Based Factors 21 External FactorsCOPYRIGHTED MATERIAL 22 Potential Search Engine Penalties 26 The Google “Sandbox Effect” 26 The Expired Domain Penalty 26 Duplicate Content Penalty 27 The Google Supplemental Index 27 Resources and Tools 28 Web Analytics 28 00929ftoc.qxd:00929ftoc 3/13/07 2:02 PM Page x Contents Market Research 29 Researching Keywords 32 Browser Plugins 33 Community Forums 33 Search Engine Blogs and Resources 34 Summary 35 Chapter 3: Provocative SE-Friendly URLs 37 Why Do URLs Matter? 38 Static URLs and Dynamic URLs 38 Static URLs 39 Dynamic URLs 39 URLs and CTR 40 URLs and Duplicate Content 41 URLs of the Real World 42 Example #1: Dynamic URLs 42 Example #2: Numeric Rewritten URLs 43 Example #3: Keyword-Rich Rewritten URLs 44 Maintaining URL Consistency 44 URL Rewriting 46 Installing mod_rewrite 48 Testing mod_rewrite 49 Introducing
    [Show full text]
  • Norton™ Utilities Premium: User Manual
    Norton™ Utilities Premium User Manual Norton Utilities Premium User Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Copyright © 2018 Symantec Corporation. All rights reserved. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
    [Show full text]
  • Highly Predictive Blacklisting
    We Introduce the Highly predIc- tive Blacklist (HPB) service, which is now Jian Zhang, Philli P P o rr a S , a n d JohanneS ullRich integrated into the DShield.org portal [1]. The HPB service employs a radically differ- ent approach to blacklist formulation than that of contemporary blacklist formulation highly predictive strategies. At the core of the system is a ranking scheme that measures how closely blacklisting related an attack source is to a blacklist con- Jian Zhang is an assistant professor in the depart- sumer, based on both the attacker’s history ment of computer science at Louisiana State and the most recent firewall log produc- University. His research interest is in developing new machine-learning methods for improving tion patterns of the consumer. Our objec- cybersecurity. tive is to construct a customized blacklist [email protected] per repository contributor that reflects the Phillip Porras is a Program Director of systems se- most probable set of addresses that may curity research in the Computer Science Laboratory attack the contributor in the near future. at SRI International. His research interests include malware and intrusion detection, high-assurance We view this service as a first experimental computing, network security, and privacy-preserv- ing collaborative systems. step toward a new direction in high-quality [email protected] blacklist generation. As Chief Research Officer for the SANS Institute, For nearly as long as we have been detecting mali- Johannes Ullrich is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC cious activity in networks, we have been compil- Gold program.
    [Show full text]
  • Redirect URL
    July 2012 Redirect URL User Guide Welcome to AT&T Website Solutions SM We are focused on providing you the very best web hosting service including all the tools necessary to establish and maintain a successful website. This document contains information that will help you to redirect pages from your site to other locations. You can use it to create a new Domain Redirection as well. © 2012 AT&T Intellectual Property. All rights reserved. AT&T products and services are provided or offered by subsidiaries and affiliates of AT&T Inc. under the AT&T brand and not by AT&T Inc. AT&T, AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other trademarks are the property of their owners. This document is not an offer, commitment, representation or warranty by AT&T and is subject to change. Your Web Hosting service is subject to the Terms and Conditions (T&Cs), which may be found at http://webhosting.att.com/Terms-Conditions.aspx . Service terms and Fees are subject to change without notice. Please read the T&Cs for additional information. © 2010 AT&T Intellectual Property. All rights re served. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Table of ContenContentstststs Introduction ........................................................................................................................................................ 3 Create a New Redirect ...................................................................................................................................
    [Show full text]
  • Detection of Malicious Urls by Correlating the Chains of Redirection in an Online Social Network (Twitter)
    International Journal of Research Studies in Computer Science and Engineering (IJRSCSE) Volume 1, Issue 3, July 2014, PP 33-38 ISSN 2349-4840 (Print) & ISSN 2349-4859 (Online) www.arcjournals.org Detection of Malicious URLs by Correlating the Chains of Redirection in an Online Social Network (Twitter) 1MD.Sabeeha, SK.Karimullah, 2P.Babu 1PG Schalor,CSE, Quba college of engineering and technology 2, Associate professor, QCET, NELLORE ABSTRACT: Twitter is prone to malicious tweets containing URLs for spam, phishing, and malware distribution. Conventional Twitter spam detection schemes utilize account features such as the ratio of tweets containing URLs and the account creation date, or relation features in the Twitter graph. These detection schemes are ineffective against feature fabrications or consume much time and resources. Conventional suspicious URL detection schemes utilize several features including lexical features of URLs, URL redirection, HTML content, and dynamic behavior. However, evading techniques such as time-based evasion and crawler evasion exist. In this paper, we propose WARNINGBIRD, a suspicious URL detection system for Twitter. Our system investigates correlations of URL redirect chains extracted from several tweets. Because attackers have limited resources and usually reuse them, their URL redirect chains frequently share the same URLs. We develop methods to discover correlated URL redirect chains using the frequently shared URLs and to determine their suspiciousness. We collect numerous tweets from the Twitter public timeline and build a statistical classifier using them. Evaluation results show that our classifier accurately and efficiently detects suspicious URLs. We also present WARNINGBIRD as a near real-time system for classifying suspicious URLs in the Twitter stream.
    [Show full text]